“SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.”

Most common SQL injections are:

1. Incorrectly filtered escape characters

Most common is Quote or Special character handling

2. Incorrect type handling

Brazil incident fall into this category

3. Vulnerabilities inside the database server

WSJ incident fall into this category : BAD password!

4. Blind SQL injection

Result of this attack is not visible to hacker but it can help to exploit more SQL injections.

conditional responses

conditional errors

execute long running queries

You can avoid these catastrophic SQL injections by little care during the web application coding such as using bind variables, verify input values and take care of escaping characters. Database level security such as password and access control also help to avoid SQL injections.